Insider Threat Security Reference Architecture


Insider Threat Security Reference Architecture
Joji Montelibano
Andrew Moore
April 2012
TECHNICAL REPORT
CMU/SEI-2012-TR-007
ESC-TR
CERT Program

Copyright 2012 Carnegie Mellon University and IEEE. This work first appeared in Proceedings of the 45th Annual Hawaii International Conference on System Sciences.

This material is based upon work funded and supported by the United States Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

This report was prepared for the Contracting Officer, ESC/CAA, 20 Shilling Circle, Building 1305, 3rd Floor, Hanscom AFB, MA.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute.

Carnegie Mellon and CERT are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. TM Carnegie Mellon Software Engineering Institute (stylized), Carnegie Mellon Software Engineering Institute (and design), Simplex, and the stylized hexagon are trademarks of Carnegie Mellon University.

* These restrictions do not apply to U.S. government entities.

SEI markings v3.2 / 30 August 2011

Table of Contents

Abstract
1 Introduction
2 The Components of the ITSRA
3 Empirical Foundations and Standards
4 Application of the ITSRA
  4.1 The ITSRA Matrix
5 Correlation
  5.1 Incident Response and Targeted Monitoring
6 Sample Instantiation of ITSRA: Theft of Intellectual Property
  6.1 Solution
7 Conclusion
References


List of Figures

Figure 1: Opportunities for Prevention, Detection, and Response for an Insider Attack
Figure 2: Insider Threat Security Reference Architecture
Figure 3: The Insider Threat Security Reference Architecture Is Derived from the NIST Enterprise Architecture Model [EOPUS 2007, NIST 2009] and the Federal Enterprise Architecture [CIOC 2001, EOPUS 2007]
Figure 4: ITSRA Combines with Attack Pattern Library to Form a Customized Enterprise Security Architecture
Figure 5: Authorized Access Controls Span All Layers of the ITSRA
Figure 6: Theft of IP Pattern
Figure 7: Theft of IP Pattern with ITSRA Superimposed
Figure 8: ITSRA Acceptable Use Controls for Theft of IP


List of Tables

Table 1: Sample Security Architectures
Table 2: The ITSRA Matrix: Sample Subset of Controls per ITSRA Layer


Abstract

The Insider Threat Security Reference Architecture (ITSRA) provides an enterprise-wide solution to insider threat. The architecture consists of four security layers: Business, Information, Data, and Application. Organizations should deploy and enforce controls at each layer to address insider attacks. None of the layers functions in isolation or independently of the other layers. Rather, the correlation of indicators and the application of controls across all four layers form the crux of this approach. Empirical data consisting of more than 700 cases of insider crimes shows that insider attacks proved successful in inflicting damage when an organization failed to implement adequate controls in any of three security principles: authorized access, acceptable use, and continuous monitoring. The ITSRA draws from existing best practices and standards as well as from analysis of these cases to provide actionable guidance for organizations to improve their posture against the insider threat.


1 Introduction

From the time an insider decides to attack to the point at which damage is done, there exist opportunities for the prevention, detection, and response to the attack. Ideally, the organization will be able to prevent the attack altogether. Failing this, the organization should have adequate controls in place to detect the malicious activity. Finally, the organization should have a proper incident response plan to mitigate the damages resulting from the insider's actions.

The areas above and below the timeline in Figure 1 denote the data the organization should collect. The top portion represents nontechnical data, such as human resources (HR) records and physical security logs, while the bottom portion represents technical data, such as database logs and remote access logs.

Figure 1: Opportunities for Prevention, Detection, and Response for an Insider Attack

Correlation of data is the key. Such data will come from disparate sources across the enterprise, and the challenge is to correlate it so that it informs security staff without overwhelming them. The Insider Threat Security Reference Architecture (ITSRA) is designed to address this challenge.

2 The Components of the ITSRA

Figure 2 shows the four layers of the ITSRA. The Business Security layer contains high-level business requirements, such as an organization's mission. This layer involves the creation of policies, procedures, and other guidance that determines the level of security to be implemented in the other layers.

The Information Security layer describes the organization's underlying information infrastructure. This includes the information network and the components necessary to operate the organization's information services, such as routers, switches, and servers. This layer also contains the operating systems and software required to manage the infrastructure.

The Data Security layer involves information assets considered to be proprietary to the organization. Such data can take the form of documents, spreadsheets, or databases.

Finally, the Application Security layer addresses both the internal development of software and the deployment of non-operating-system applications used to fulfill a particular business mission. A Content Management System (CMS) and a Customer Relationship Management (CRM) system are examples of such applications. The Application Security layer ensures that these programs adhere to the security requirements defined at the Business Security layer.

Figure 2: Insider Threat Security Reference Architecture (the Business, Information, Data, and Application Security Architecture layers, with Security Controls arrows running down each side)

Security is the common thread running through all levels of a sound enterprise architecture. The two arrows on each side of the four layers indicate this cross-cutting role of security. There exists a wide body of research and products to help organizations implement security measures at each layer. For instance, secure business processes secure the business architecture layer, data protection mechanisms secure the data architecture layer, and so on. What is missing is a cohesive instrument that integrates disparate security controls into a single, comprehensive strategy. The ITSRA seeks to close this gap by offering a structured approach to help organizations improve their level of preparedness to address the insider threat.

3 Empirical Foundations and Standards

Our research on insider threat is empirically based, drawn from rigorous analysis of over 700 actual cases of malicious insider activity [Cappelli 2009, Hanley 2011]. One such case illustrates how the ITSRA can be put to use. In this case, a foreign currency trader was able to cover up nearly $700 million in losses over a five-year period. He accomplished this by modifying the source code for his organization's trading system. The trader violated a number of Human Resources (HR) policies, including improper treatment of colleagues. However, because of his status as a star performer within the firm, he did not incur the organization's standard disciplinary actions.

In this case, conventional standalone detection mechanisms, such as intrusion detection systems and configuration management (CM) systems, did not prove adequate to detect, let alone prevent, the crime. Rather, had the principles of the ITSRA been applied, correlation of HR data would have triggered increased scrutiny and monitoring of this individual's online activities. This, when combined with an alert raised by the CM application revealing his changes to source code, would have uncovered the insider's illicit activities and, we believe, would have led to his earlier arrest and conviction. Needless to say, this may even have saved the organization itself from the financial loss and damaging publicity that followed.

The NIST Enterprise Architecture Model (EAM) [EOPUS 2007, NIST 2009] and the Federal Enterprise Architecture (FEA) [CIOC 2001, EOPUS 2007] form the foundations of the ITSRA. The ITSRA uses these enterprise-level models as a basis because insider threat cannot be fully addressed by a single department within an organization. That is, insider threat is an enterprise-wide problem and must be confronted with an enterprise-wide solution. The ITSRA is such a solution. Figure 3 captures the approach that is used to create the ITSRA. The arrows indicate the cross-dissemination of security data gathered from different sources in the enterprise. This information sharing best informs and prepares the organization to prevent, detect, and respond to insider threats.

Figure 3: The Insider Threat Security Reference Architecture Is Derived from the NIST Enterprise Architecture Model [EOPUS 2007, NIST 2009] and the Federal Enterprise Architecture [CIOC 2001, EOPUS 2007] (the NIST Enterprise Architecture Model and the Federal Enterprise Architecture feed the Business, Information, Data, and Application Security Architecture layers of the ITSRA, bounded by Security Controls on each side). Controls include those that are administrative, technical, and physical as well as preventive, detective, compensating, and corrective.

4 Application of the ITSRA

The process of applying the ITSRA should involve refinement and customization at each layer to make the corresponding controls applicable to the organization in question. To this end, we created and analyzed an insider threat database to develop models of insider attack. Analysis of the more than 700 cases reveals that each case can be categorized into one of the following [Cappelli 2009]:

  IT sabotage
  theft of intellectual property (IP)
  fraud

IT sabotage describes an insider's use of information technology (IT) infrastructure to direct specific harm at an organization or individual. Theft of IP involves the use of IT to steal IP from an organization. This includes industrial espionage involving insiders. Finally, fraud includes all cases involving insiders who used IT for the unauthorized modification, addition, or deletion of data for personal gain or theft.

Based on these three categories, we have created different models or patterns that represent the sequence of events in a given attack vector [Hanley 2011, Moore 2009]. An organization wishing to apply the ITSRA can choose the relevant crime patterns that present the most visible threat to its operations. The ITSRA then offers granular recommendations at each security layer to address that particular attack vector. Figure 4 describes how the ITSRA transitions from a high-level reference architecture to an instantiated enterprise architecture customized to fit a specific organization's requirements.

Figure 4: ITSRA Combines with Attack Pattern Library to Form a Customized Enterprise Security Architecture (the high-level ITSRA and the insider threat attack pattern library are combined when the organization chooses an insider threat pattern, yielding a detailed enterprise security architecture)

The customized enterprise security architecture shown in Figure 4 takes the form of an ITSRA matrix, which we describe in Section 4.1. The ITSRA offers granular recommendations by combining both operational- and policy-based guidance from the insider threat research and existing best practices to provide recommended controls such as

  business process guidelines
  policy formulation
  legal controls
  switch configuration
  security information and event management (SIEM) rules
  intrusion prevention system signatures
  HR procedures
  physical security practices

Most importantly, it combines all of these measures into a comprehensive and holistic framework that will better prepare an organization to prevent, detect, and respond to malicious insider activity. Table 1 gives a sample listing of best practices available to security practitioners today. The ITSRA describes how these best practices can be integrated to form a truly enterprise-oriented framework.

Table 1: Sample Security Architectures (ITSRA Layer: Security Architecture)

  Business: Sherwood Applied Business Security Architecture (SABSA) [SABSA 2011]; NIST SP [NIST 2010]; Zachman Framework [SABSA 2011]; Six Sigma
  Information: Open Security Architecture; Cisco SAFE [Chung 2010]; NIST SP [NIST 2009]
  Data: Common Data Security (CDSA) [Blackwell 2009]; Oracle Database Security [Oracle 2011]
  Application: OWASP; CERT Secure Coding Standards; Microsoft Application Security [Microsoft 2010]

CERT is a registered mark owned by Carnegie Mellon University.

4.1 The ITSRA Matrix

To develop the ITSRA, the authors superimposed the analysis of the insider threat database onto the best practices gleaned from the security architectures listed in Table 1. Specifically, in reviewing each architecture, we derived commonalities between different approaches and determined how these practices could have been applied to prevent or detect a specific attack. This approach revealed that security architectures are crafted to enforce the following most fundamental principles:

  authorized access
  acceptable use
  continuous monitoring

Applying these three principles to the cases of insider crimes does indeed affirm that each criminal act can be attributed to an organization's failure to implement one or more of the three security principles above. Consider the case of the currency trader described in Section 3. Although his access to source code was authorized by the organization, his use of this privilege constituted unacceptable use. Although policies were in place restricting what was deemed acceptable, clearly in this case there were insufficient means of enforcing such policies. The organization had separation-of-duties controls such that the back office verified every trade entered into the system. However, this particular insider socially engineered the back office into skipping verification of his trades since he was the star. In addition, when back office personnel questioned some of his illegal trades, he bullied them into overlooking their suspicions. So the business process controls were there, but not enforced. And because there was no correlation of issues between layers, management did not put the pieces of the puzzle together.

In other words, although the organization may have instituted appropriate controls in the Business Security layer, it failed to extend such controls into the Information and Application layers, which allowed the trader to commit his crime. This reinforces the need to have a cross-cutting architecture that spans the breadth of all security layers. From another perspective, the organization granted authorized access to the trader and defined acceptable use, but it failed to apply continuous monitoring strategies to ensure that the trader adhered to these restrictions.

Table 2 shows the ITSRA Matrix, which gives a high-level summary of controls recommended by various security architectures, categorized by layer and by which security principle (authorized access, acceptable use, or continuous monitoring) each control best addresses.
Table 2: The ITSRA Matrix: Sample Subset of Controls per ITSRA Layer

Business layer
  Authorized Access: legal guidance; physical security; separation of duties; need-to-know
  Acceptable Use: legal guidance; acceptable use policy; change management
  Continuous Monitoring: legal guidance; audits; assessments; asset prioritization

Information layer
  Authorized Access: account management; host authentication (e.g., MAC address authentication); authentication, authorization, and accounting (AAA); multifactor authentication
  Acceptable Use: firewalls; proxies; IDS/IPS
  Continuous Monitoring: SIEM rules; log correlation; intrusion detection; automated alerts; incident response; antivirus

Data layer
  Authorized Access: account management; role-based access
  Acceptable Use: file read/write restrictions; data classification; data tagging; least privilege
  Continuous Monitoring: data loss prevention (DLP); intrusion detection; database alerts; audits

Application layer
  Authorized Access: account management; separation of duties
  Acceptable Use: code review; quality assurance; filters; HTTP/HTTPS proxies
  Continuous Monitoring: peer review; configuration and change management

5 Correlation

Insider cases in our database involved the exploitation of one or more of the vulnerabilities shown in the ITSRA matrix. Current security architectures generally emphasize the need for controls to be in place to address the vulnerability in that particular layer [Blackwell 2009, Jabbour 2009]. What is needed is a formalized process to ensure that any countermeasures, whether they provide prevention, detection, or response controls, cut vertically across all security layers to provide the best protection possible. Figure 5 shows a snapshot of the Authorized Access column of the ITSRA matrix, focusing on select controls per security layer.

Figure 5: Authorized Access Controls Span All Layers of the ITSRA (each marked item in the Authorized Access column is a control point; security requirements are defined at the Business layer and must be implemented at each subsequent layer below)

Any controls meant to enforce physical access to a closed area should also be extended into the logical realms of information, data, and application controls. Information controls may involve the existence of a dedicated account for that particular individual inside the closed area, along with multifactor authentication to confirm that individual's identity. Moving down to the data layer, file access controls for read-write privileges must be in place to restrict the individual's access to a need-to-know basis. For instance, an employee dedicated to biological research should not have any read access to internal salary records. Finally, if the closed area contains any sensitive applications, those applications must have appropriate safeguards in place to ensure authorized access. Using the investment trader as an example once again, if portions of the code should not have been accessible to him, a code management system such as CVS should have been in place to restrict his access.

Just as in Figure 2, the arrows in Figure 5 go in both directions across the ITSRA stack. While it is true that high-level security requirements should be defined at the Business layer, any data collected from controls in any of the lower layers should likewise inform the top layers. This has major implications, especially with regard to targeted monitoring, which is discussed in Section 5.1. For instance, once controls have been implemented in a way suited to the ITSRA model, that in and of itself is not the desired end state. Rather, the continuous monitoring component remains in place. So if an insider were to violate a control in the Information, Data, or Application layer, this information should be communicated up to senior leadership so that they can take action and implement high-level business decisions, such as sanctioning the employee or even terminating employment.

5.1 Incident Response and Targeted Monitoring

The preceding discussion describes the preventive and detective elements of the ITSRA. That is, defining requirements at the highest level and implementing relevant controls through the other ITSRA layers will position an organization well in countering insider threats. There is, however, an additional dimension to the ITSRA, and that is incident response. Specifically, what mechanisms does the ITSRA have in place to adequately respond to an insider who has violated any security controls?

For any clear violations or even criminal acts, the organization should define clear, unequivocal repercussions at the Business level in the form of policies. These policies should include specific actions to be taken, most commonly employee sanctions or termination, in the event of malicious insider activity. There may be cases, however, where the organization has due cause to monitor a particular employee's activities after a policy violation takes place, even if sanctions are enforced. For example, many of the insiders in our database did indeed receive sanctions from leadership, but these did not deter them from committing their crimes. Rather, in some cases, insiders were further provoked and angered by these sanctions and were emboldened to carry out their attacks.

In these cases, the organization should have a targeted monitoring policy in place that allows it to selectively monitor both the online and the at-work activities of any individual if warranted. Of course, such a policy will have to be crafted and approved by legal counsel to ensure that it conforms to local laws and that it does not violate the privacy rights of individuals. Performing targeted monitoring does not require any additional investment in infrastructure. Rather, with the tools in place that already conform to the ITSRA, the organization will have the ability to fine-tune its security devices to observe any person's activities. Empirical data shows that employing such targeted monitoring might have prevented many insiders from causing damage to their respective companies [Cappelli 2009, Hanley 2011, Moore 2009].

In one case, an insider was the subject of many complaints from fellow workers, who reported inappropriate behavior including workplace intoxication and sexual harassment. Although the HR department did issue a formal reprimand to the employee, they did not inform the Information Security (IS) department of this individual's actions. Since the IS department had no cause to monitor this user's online activities, they failed to detect his planting a logic bomb in the company's infrastructure, which threatened to destroy several years' worth of critical data. The insider also had access to backup media, whose sabotage could have prevented the organization from restoring its normal operations in a timely manner.

In several other cases, insiders had previous criminal records for the very crimes they went on to commit again [Cappelli 2009]. In these cases, background checks failed to reveal the insiders' criminal histories, and even when they did, personnel management did not inform the appropriate security departments to keep a closer eye on each person's activities. What we discovered in such cases was the existence of a figurative barrier of communication between respective departments, and an inordinate reluctance, especially on the part of HR or personnel management, to share any negative information about employees with any other party. The ITSRA seeks to break down these barriers where appropriate and necessary, and to enable a free flow of communication across all departments within an organization.

6 Sample Instantiation of ITSRA: Theft of Intellectual Property

As we mention in Section 3, the insider threat database contains more than 700 cases of insider crimes [Cappelli 2009, Hanley 2011]. Of those 700, roughly 90 cases deal with the theft of intellectual property (IP). To illustrate the utility of the ITSRA in addressing theft of IP, we consider the problem of an organization attempting to mitigate the risk of loss of its proprietary data [Moore 2009].

Our data on theft of IP shows that well over 50% of the insiders who stole information did so within 30 days of resignation [Cappelli 2009, Moore 2009]. Current case trends suggest that organizations regularly fail to detect theft of IP by insiders, and even when theft is detected, organizations find it difficult to attribute the crime to any specific individual. Monitoring employee behavior for suspicious actions worthy of further investigation can be expensive. These costs must be balanced against the risk of losing the organization's IP. Organizations need to ensure they do not violate employees' privacy rights and that they have a valid ownership claim to the IP they wish to protect. Given these challenges facing an organization, we propose a solution described in Section 6.1.

6.1 Solution

The solution is described in the context of Figure 6. Relationships are indicated as labeled arrows between distinct groups (e.g., HR) or bodies of information (e.g., critical IP). Relationships that exist as part of a sequential ordering are numbered accordingly. The relevant layer of the ITSRA is superimposed upon this diagram in Figure 7 to illustrate how the ITSRA addresses each component of the solution. As this figure illustrates, the principle of acceptable use is the most appropriate for application to theft of IP situations. This is because insiders who committed theft of IP most often had authorized access to the data they removed from the organization.

Figure 6: Theft of IP Pattern

Figure 7: Theft of IP Pattern with ITSRA Superimposed

At the Business Security layer, an organization needs to make sure its employees agree, as a condition of employment, that the organization owns the critical IP (see Relationship 1 in Figure 6). The employee's clear and formal acceptance of the organization's IP ownership helps ensure that the organization's right to ownership will stand up in court. Consulting with the organization's legal counsel will help ensure the organization is on firm legal ground. The organization can convey ownership to employees through devices such as nondisclosure agreements, IP ownership policies, and references to IP ownership in a network acceptable-use policy.

At the Data Security layer, data owners need to identify and properly label their IP. They need to communicate the existence and sensitivity of the IP to IT Management (Relationship 2). They also need to communicate to HR the key insiders with access to critical IP (Relationship 3). Our data shows that scientists, engineers, programmers, and salespeople are especially likely to steal IP.

At this point, the principles of targeted monitoring described in Section 5.1 come into play. HR needs to track insiders who have access to the IP so that, when an insider resigns, HR can notify IT Management to monitor that insider's online behavior for signs of suspicious exfiltration of IP (Relationship 4). IT Management needs to take action concordant with the controls implemented in the Information Security (monitoring mechanisms, such as a SIEM) and Application Security (e-mail, in this case, is the application to be monitored) layers of the ITSRA. In particular, IS staff should closely monitor the insider's access to critical IP during the 30-day window around termination (Relationship 5) because many IP thieves stole information within this window [Hanley 2011]. Although the organization may decide to monitor beyond the 30-day window, restricting monitoring to this period may allow the organization to balance the monitoring costs with the risks of losing the IP. No matter what level of monitoring is used, organizations must ensure that insiders are treated consistently and fairly. Typically, insiders need to consent to monitoring of their online actions as a condition of using the organization's systems, consistent with business and legal requirements previously defined at the Business Security layer.

Investigation and response activities may be necessary if IT Management discovers suspicious activity by the insider. During the 30-day window, several items may warrant a detailed investigation:

Download of a large volume of critical IP to removable media/laptop or via remote file access: Large-volume downloads close to insider termination may indicate that the insider is preparing to exfiltrate data. Case information suggests that users who exfiltrate a large amount of information via e-mail or other means first move that data over the network to their workstation. Movement of data within enclaves or across enclaves that exceeds normal traffic patterns may signal this type of event.

E-mail to the organization's competitors or the insider's personal e-mail account: Most insiders who steal information through networked systems do so by either e-mailing information off the network through a corporate e-mail account or through webmail. Corporate e-mail accounts can be configured to alert the organization to suspicious events from mail transaction logs. For example, if an organization enumerates (but does not blacklist) suspicious transactions, such as data transfers to competitors, then it can be alerted to any mail traffic generated to/from


More information

Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks

Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks Dawn M. Cappelli Andrew P. Moore CERT Program Software Engineering Institute Carnegie Mellon University 04/09/08 Session Code:DEF-203

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

2012 CyberSecurity Watch Survey

2012 CyberSecurity Watch Survey 2012 CyberSecurity Watch Survey Unknown How 24 % Bad is the Insider Threat? 51% 2007-2013 Carnegie Mellon University 2012 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY

More information

DoD Software Migration Planning

DoD Software Migration Planning DoD Software Migration Planning John Bergey Liam O Brien Dennis Smith August 2001 Product Line Practice Initiative Technical Note CMU/SEI-2001-TN-012 Unlimited distribution subject to the copyright. The

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Spotlight On: Insider Threat from Trusted Business Partners

Spotlight On: Insider Threat from Trusted Business Partners Spotlight On: Insider Threat from Trusted Business Partners February 2010 Robert M. Weiland Andrew P. Moore Dawn M. Cappelli Randall F. Trzeciak Derrick Spooner This work was funded by Copyright 2010 Carnegie

More information

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0 Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0 Christopher J. Alberts Sandra G. Behrens Richard D. Pethia William R. Wilson June 1999 TECHNICAL

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Cyber Intelligence Workforce

Cyber Intelligence Workforce Cyber Intelligence Workforce Troy Townsend Melissa Kasan Ludwick September 17, 2013 Agenda Project Background Research Methodology Findings Training and Education Project Findings Workshop Results Objectives

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

Moving Target Reference Implementation

Moving Target Reference Implementation CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP Moving Target Reference Implementation Software Engineering Institute, Carnegie Mellon University Andrew O. Mellinger December 17, 2014

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Applying Software Quality Models to Software Security

Applying Software Quality Models to Software Security Applying Software Quality Models to Software Security Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Carol Woody, Ph.D. April 21, 2015 Copyright 2015 Carnegie Mellon University

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Christopher J. Alberts Audrey J. Dorofee August 2010 TECHNICAL REPORT CMU/SEI-2010-TR-017 ESC-TR-2010-017 Acquisition Support Program Unlimited distribution subject to the copyright.

More information

Network Monitoring for Cyber Security

Network Monitoring for Cyber Security Network Monitoring for Cyber Security Paul Krystosek, PhD CERT Network Situational Awareness 2006 Carnegie Mellon University What s Coming Up The scope of network monitoring Cast of characters Descriptions

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

Software Vulnerabilities in Java

Software Vulnerabilities in Java Software Vulnerabilities in Java Fred Long October 2005 CERT Unlimited distribution subject to the copyright. Technical Note CMU/SEI-2005-TN-044 This work is sponsored by the U.S. Department of Defense.

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders

A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders Andrew P. Moore apm@cert.org Michael Hanley mhanley@cert.org David Mundie dmundie@cert.org CERT Program, Software

More information

Software Security Engineering: A Guide for Project Managers

Software Security Engineering: A Guide for Project Managers Software Security Engineering: A Guide for Project Managers Gary McGraw Julia H. Allen Nancy Mead Robert J. Ellison Sean Barnum May 2013 ABSTRACT: Software is ubiquitous. Many of the products, services,

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management Exploring the Interactions Between Network Data Analysis and Security Information/Event Management Timothy J. Shimeall CERT Network Situational Awareness (NetSA) Group January 2011 2011 Carnegie Mellon

More information

Data Loss Prevention Program

Data Loss Prevention Program Data Loss Prevention Program Safeguarding Intellectual Property Author: Powell Hamilton Senior Managing Consultant Foundstone Professional Services One of the major challenges for today s IT security professional

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Advanced Threats: The New World Order

Advanced Threats: The New World Order Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China gary.lau@rsa.com 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC

More information

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking

More information

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section

More information

The CERT Approach to Cybersecurity Workforce Development

The CERT Approach to Cybersecurity Workforce Development The CERT Approach to Cybersecurity Workforce Development Josh Hammerstein Christopher May December 2010 TECHNICAL REPORT CMU/SEI-2010-TR-045 ESC-TR-2010-110 Enterprise and Workforce Development Unlimited

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

Security Practices for Online Collaboration and Social Media

Security Practices for Online Collaboration and Social Media Cisco IT Best Practice Collaboration Security Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 2013 Cisco and/or its affiliates. All rights reserved.

More information

Guide to Using DoD PKI Certificates in Outlook 2000

Guide to Using DoD PKI Certificates in Outlook 2000 Report Number: C4-017R-01 Guide to Using DoD PKI Certificates in Outlook 2000 Security Evaluation Group Author: Margaret Salter Updated: April 6, 2001 Version 1.0 National Security Agency 9800 Savage Rd.

More information

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media January 2012 All contents are Copyright 1992 2012 Cisco Systems, Inc. All rights reserved. This document

More information

Recession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change

Recession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change Recession Calls for Better Change Management Separation of duties, logging paramount in times of great, rapid change Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI Final Draft for March 2009 CSI Alert I

More information

AB 1149 Compliance: Data Security Best Practices

AB 1149 Compliance: Data Security Best Practices AB 1149 Compliance: Data Security Best Practices 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: AB 1149 is a new California

More information

CERT Resilience Management Model (CERT -RMM) V1.1: NIST Special Publication 800-66 Crosswalk

CERT Resilience Management Model (CERT -RMM) V1.1: NIST Special Publication 800-66 Crosswalk CERT Resilience Management Model (CERT -RMM) V1.1: NIST Special Publication 800-66 Crosswalk Lisa R. Young, Software Engineering Institute Ma-Nyahn Kromah, SunGard Availability Services October 2013 TECHNICAL

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Los Alamos National Laboratory's Cyber Security Program DOE/IG-0880 February 2013 Department

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information

WHITEPAPER. Data Security for Office 365 Balancing control & usability

WHITEPAPER. Data Security for Office 365 Balancing control & usability WHITEPAPER Data Security for Office 365 Balancing control & usability Contents Executive Summary... 2 Top Security Issues for Office 365... 4 Compelled Disclosures... 4 Unauthorized Sharing... 4 External

More information

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

White Paper An Enterprise Security Program and Architecture to Support Business Drivers White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

Breach Found. Did It Hurt?

Breach Found. Did It Hurt? ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many

More information

Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders

Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders George J. Silowash Todd B. Lewellen January 2013 TECHNICAL NOTE CMU/SEI-2013-TN-003

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Elasticsearch, Logstash, and Kibana (ELK)

Elasticsearch, Logstash, and Kibana (ELK) Elasticsearch, Logstash, and Kibana (ELK) Dwight Beaver dsbeaver@cert.org Sean Hutchison shutchison@cert.org January 2015 2014 Carnegie Mellon University This material is based upon work funded and supported

More information

Contact: Henry Torres, (870) 972-3033

Contact: Henry Torres, (870) 972-3033 Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Getting Ahead of Malware

Getting Ahead of Malware IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,

More information

GE Measurement & Control. Cyber Security for NERC CIP Compliance

GE Measurement & Control. Cyber Security for NERC CIP Compliance GE Measurement & Control Cyber Security for NERC CIP Compliance GE Proprietary Information: This document contains proprietary information of the General Electric Company and may not be used for purposes

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

Supply-Chain Risk Management Framework

Supply-Chain Risk Management Framework Supply-Chain Risk Management Framework Carol Woody March 2010 Scope of SEI Work Context Significantly reduce the risk (any where in the supply chain) that an unauthorized party can change the behavior

More information

QRadar SIEM 6.3 Datasheet

QRadar SIEM 6.3 Datasheet QRadar SIEM 6.3 Datasheet Overview Q1 Labs flagship solution QRadar SIEM is unrivaled in its ability to provide an organization centralized IT security command and control. The unique capabilities of QRadar

More information

ITAR Compliance Best Practices Guide

ITAR Compliance Best Practices Guide ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations

More information

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division James Stevens is a senior member of the technical staff

More information

ADVANCED NETWORK SECURITY PROJECT

ADVANCED NETWORK SECURITY PROJECT AFRL-IF-RS-TR-2005-395 Final Technical Report December 2005 ADVANCED NETWORK SECURITY PROJECT Indiana University APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. AIR FORCE RESEARCH LABORATORY INFORMATION

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network GAO United States Government Accountability Office Report to the Honorable F. James Sensenbrenner Jr., House of Representatives April 2007 INFORMATION SECURITY FBI Needs to Address Weaknesses in Critical

More information

Implementing an Employee Monitoring Program

Implementing an Employee Monitoring Program Implementing an Employee Monitoring Program www.spectorsoft.com Decision Point: Why Monitor Employee Activity? The Reactive Decision The Proactive Decision Decision Point: What is Right for Your Organization?

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................

More information

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis

More information

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski May 2015 is a business-critical application security solution for SAP environments. It provides a context-aware, secure and cloud-ready platform

More information

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec

Introduction. Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec Introduction Jason Lawrence, MSISA, CISSP, CISA Manager, EY Advanced Security Center Atlanta, Georgia jason.lawrence@ey.com Twitter: @ethical_infosec More than 20 years of experience in cybersecurity specializing

More information

Physical Access Control System

Physical Access Control System for the Physical Access Control System DHS/ALL 039 June 9, 2011 Contact Point David S. Coven Chief, Access Control Branch (202) 282-8742 Reviewing Official Mary Ellen Callahan Chief Privacy Officer (703)

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Network Security Policy: Best Practices White Paper

Network Security Policy: Best Practices White Paper Security Policy: Best Practices White Paper Document ID: 13601 Introduction Preparation Create Usage Policy Statements Conduct a Risk Analysis Establish a Security Team Structure Prevention Approving Security

More information

CAPTURE-THE-FLAG: LEARNING COMPUTER SECURITY UNDER FIRE

CAPTURE-THE-FLAG: LEARNING COMPUTER SECURITY UNDER FIRE CAPTURE-THE-FLAG: LEARNING COMPUTER SECURITY UNDER FIRE LCDR Chris Eagle, and John L. Clark Naval Postgraduate School Abstract: Key words: In this paper, we describe the Capture-the-Flag (CTF) activity

More information

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer) I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

LogRhythm and HIPAA Compliance

LogRhythm and HIPAA Compliance LogRhythm and HIPAA Compliance The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure that personal information stored,

More information

CERT Virtual Flow Collection and Analysis

CERT Virtual Flow Collection and Analysis CERT Virtual Flow Collection and Analysis For Training and Simulation George Warnagiris 2011 Carnegie Mellon University Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden

More information

Implementing an Incident Response Team (IRT)

Implementing an Incident Response Team (IRT) 1.0 Questions about this Document CSIRT 2362 Kanegis Dr Waldorf, MD 20603 Tel: 1-301-275-4433 - USA 24x7 Incident Response: Martinez@csirt.org Text Message: Text@csirt.org Implementing an Incident Response

More information

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide COUNTERINTELLIGENCE O F F I C E O F T H E N A T I O N A L C O U N T E R I N T E L L I G E N C E Protecting Key Assets: A Corporate Counterintelligence Guide E X E C U T I V E Counterintelligence for the

More information

IBM Security QRadar Risk Manager

IBM Security QRadar Risk Manager IBM Security QRadar Risk Manager Proactively manage vulnerabilities and network device configuration to reduce risk, improve compliance Highlights Collect network security device configuration data to

More information

Streamlining Web and Email Security

Streamlining Web and Email Security How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor

More information

Structuring the Chief Information Security Officer Organization

Structuring the Chief Information Security Officer Organization Structuring the Chief Information Security Officer Organization December 1, 2015 Julia Allen Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Lessons Learned CIP Reliability Standards

Lessons Learned CIP Reliability Standards Evidence for a requirement was not usable due to a lack of identifying information on the document. An entity should set and enforce a "quality of evidence" standard for its compliance documentation. A

More information